On Mon, Aug 31, 2015 at 10:23:28AM +0200, Raphael Hertzog wrote:
> Hi,

Hey Raphaël! Thanks for the review, that's really awesome of you to do.
Thanks for helping review the backlog of sbuild bugs.

> On Sun, 30 Aug 2015, Paul Tagliamonte wrote:
> I note that you never remove the key at the end of the build.
> And sbuild does not always use throw-away chroots...

Yeah, I'm mirroring the behavior of the --extra-repository flag -- I
don't see any cleanup code for that, but I may have missed it. Thoughts?

> It would be nice to either fix this or document the limitation of the
> option... but your patch does not include any documentation either.

Updated to fix the manpage.

Cheers,
  Paul
From c5f43eb311449f08b2a84843f9f0c63cbde2d8fb Mon Sep 17 00:00:00 2001
From: Paul Tagliamonte <[email protected]>
Date: Mon, 31 Aug 2015 11:03:57 -0400
Subject: [PATCH] Add --extra-repository-key flag for extra apt keys

This will allow users to specify which OpenPGP key should be added
to the trusted keys inside the chroot. This is particularly useful
if the target --extra-repository is not signed with a key that's
trusted by the base chroot.
---
 lib/Sbuild/Conf.pm         |  6 ++++++
 lib/Sbuild/Options.pm      |  3 +++
 lib/Sbuild/ResolverBase.pm | 21 +++++++++++++++++++++
 man/sbuild.1.in            | 20 ++++++++++++++++++--
 4 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/lib/Sbuild/Conf.pm b/lib/Sbuild/Conf.pm
index 763ecaa..ffce72f 100644
--- a/lib/Sbuild/Conf.pm
+++ b/lib/Sbuild/Conf.pm
@@ -1069,6 +1069,12 @@ sub setup ($) {
 	    DEFAULT => [],
 	    HELP => 'Additional per-build packages available as build dependencies.  Do not set by hand.'
 	},
+	'EXTRA_REPOSITORY_KEYS'				=> {
+	    TYPE => 'ARRAY:STRING',
+	    GROUP => '__INTERNAL',
+	    DEFAULT => [],
+	    HELP => 'Additional per-build apt repository keys.  Do not set by hand.'
+	},
 	'EXTRA_REPOSITORIES'				=> {
 	    TYPE => 'ARRAY:STRING',
 	    GROUP => '__INTERNAL',
diff --git a/lib/Sbuild/Options.pm b/lib/Sbuild/Options.pm
index 587acad..b47b3f5 100644
--- a/lib/Sbuild/Options.pm
+++ b/lib/Sbuild/Options.pm
@@ -313,6 +313,9 @@ sub set_options {
 			"extra-repository=s" => sub {
 			   push(@{$self->get_conf('EXTRA_REPOSITORIES')}, $_[1]);
 		       },
+			"extra-repository-key=s" => sub {
+			   push(@{$self->get_conf('EXTRA_REPOSITORY_KEYS')}, $_[1]);
+		       },
 			"build-path=s" => sub {
 			   $self->set_conf('BUILD_PATH', $_[1]);
 			},
diff --git a/lib/Sbuild/ResolverBase.pm b/lib/Sbuild/ResolverBase.pm
index 5d85f60..07b92eb 100644
--- a/lib/Sbuild/ResolverBase.pm
+++ b/lib/Sbuild/ResolverBase.pm
@@ -1000,6 +1000,27 @@ EOF
         }
     }
 
+    for my $repokey (@{$self->get_conf('EXTRA_REPOSITORY_KEYS')}) {
+        debug("Adding apt-key: $repokey\n");
+        if (!-f $repokey) {
+            $self->log("Failed to add apt-key '${repokey}' - it doesn't exist!\n");
+            $self->cleanup_apt_archive();
+            return 0;
+        }
+        my ($tmpfh, $tmpfilename) = tempfile(DIR => $session->get('Location') . "/tmp");
+        copy($repokey, $tmpfh);
+        close($tmpfh);
+        $session->run_command(
+            { COMMAND => ['apt-key', 'add', $session->strip_chroot_path($tmpfilename)],
+              USER => 'root',
+              PRIORITY => 0});
+        if ($?) {
+            $self->log("Failed to add external apt key.\n");
+            $self->cleanup_apt_archive();
+            return 0;
+        }
+    }
+
     # Write a list file for the dummy archive if one not create yet.
     if (! -f $dummy_archive_list_file) {
         my ($tmpfh, $tmpfilename) = tempfile(DIR => $session->get('Location') . "/tmp");
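Review bot: the temporary copy of the key written under $session->get('Location') . "/tmp" is never unlinked, neither after the successful apt-key add nor on its failure path, so every build leaves a key file behind in the chroot's /tmp, and, as raised earlier in this thread, the key itself stays in the chroot's trusted keyring whenever the chroot is not a throw-away one. Remove $tmpfilename once the command has run, and consider recording which keys were added so cleanup_apt_archive() can undo the trust change as well. Two smaller points in the same loop: the return value of copy($repokey, $tmpfh) is not checked, so an unreadable key would surface only as an apt-key failure on an empty file rather than a clear "could not read key" message; and the hunk adds no use File::Copy line, so please confirm copy is already imported in this module (tempfile evidently is, since the unchanged code below the loop uses it).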
diff --git a/man/sbuild.1.in b/man/sbuild.1.in
index e5d1e4a..39cae07 100644
--- a/man/sbuild.1.in
+++ b/man/sbuild.1.in
@@ -80,6 +80,7 @@ sbuild \- build debian packages from source
 .RB [ \-\-resolve\-alternatives \[or] \-\-no\-resolve\-alternatives ]
 .RB [ \-\-extra\-package=\fIpackage.deb\fP ]
 .RB [ \-\-extra\-repository=\fIspec\fP ]
+.RB [ \-\-extra\-repository\-key=\fIfile.asc\fP ]
 .RB [ \-\-build\-path=\fIstring\fP ]
 .RB [ PACKAGE [ .dsc ]]
 .SH DESCRIPTION
@@ -450,8 +451,23 @@ file. For instance, you might use
 .hy
 to allow packages in the experimental distribution to fulfill
 build-dependencies. Note that the build chroot must already trust the
-key of this repository (see
-.BR apt-secure (8)).
+key of this repository or a key must be given with the
+.nh
+.B \-\-extra\-repository-key
+.hy
+flag. (see
+.BR apt-secure (8))
+.TP
+.BR \-\-extra\-repository-key=\fIfile.asc\fP
+Add \fIfile.asc\fP to the list of trusted keys inside the chroot. The key is
+read from the filename given, and added using
+.BR apt-key (8).
+This flag is particularly useful if the target in
+.nh
+.B --extra-repository
+.hy
+is not signed
+with a key that's trusted by the base chroot.
 .TP
 .BR \-\-build\-path=\fIstring\fP
 By default the package is built in a path of the following format /build/packagename-XXXXXX/packagename-version/ where XXXXXX is a random ascii string. This option allows one to specify a custom path where the package is built inside the chroot. Notice that the sbuild user in the chroot must have permissions to create the path. Common writable locations are subdirectories of /tmp or /build. The buildpath must be an empty directory because the last component of the path will be removed after the build is finished. If you are running multiple sbuild instances with the same build path in parallel for the same package, make sure that your build path is not in a directory commonly mounted by all sbuild instances (like /tmp or /home). In that case, use for example /build instead. Otherwise, your builds will probably fail or contain wrong content.
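Review bot: the new --extra-repository-key entry still does not document the limitation discussed in the cover note, namely that the key added via apt-key stays trusted inside the chroot after the build and is not removed, which matters for chroots that are reused; since this revision was meant to address that by documenting it, a sentence stating it belongs in this paragraph. Two presentation points as well: the groff escaping is inconsistent, with the option written as \-\-extra\-repository-key (last hyphen unescaped) in two places and as .B --extra-repository (no escaping at all) in the new paragraph, while the rest of this file writes \-\- and \- throughout; and in the --extra-repository paragraph the edit turns "(see .BR apt-secure (8))." into "flag. (see .BR apt-secure (8))", leaving the full stop before the parenthesis and none after it, so the original punctuation should be restored around the added text.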
-- 
2.5.0
